In the Claims 

1. (Currently Amended) A method of controlling access to a network, comprising: 
requesting an identity from a mobile client attempting to connect to the network; 
receiving the identity; 

associating location information corresponding to the client with the identity; 
authenticating the identity; 

comparing the location information against a policy designating locations, if any, at 
which the client is permitted to connect to the network; and 

deciding whether to grant or deny the client access to the network based on the 
authenticity of the identity and the comparison of the location information; 

wherein the location information indicates the location of a network switch to which the 
client is attempting to connect, and the location information indicates the association between a 
particular port of the network switch and the physical location of an edge device or a wired user 
station associated with the particular port of the network switch. 

[[when access is granted, permitting roaming of the mobile client within the network; 

during said roaming, when signal quality from a current access point in communication 
with the mobile client deteriorates sufficiently, locating another access point; 

when another access point is located, associating the mobile client with the newly located 
access point and allowing the client to continue to access the network upon determining, by 
comparing updated location information corresponding to the mobile client against the policy, 
that the mobile client is still authorized to access the network]] 

2. (Original) The method of claim 1 , further comprising: 

passing the identity and the location information to an authentication server, wherein the 
authentication server performs the steps of authenticating, comparing and deciding. 
3. (Previously Presented) The method of claim 2, wherein the authentication server is a 
RADIUS server. 

4. (Original) The method of claim 1 , wherein the identity includes information selected 
from the group consisting of a user name, a user password, a certificate, a media access control 
(MAC) address, a shared encryption key, a smart card identifier, and any combination of the 
foregoing information. 

5. (Original) The method of claim 1, wherein the client is a user station capable of 
connecting to the network through an access point. 

6. (Original) The method of claim 1 , wherein the client is a wired device capable of 
connecting to the network through an Ethernet switch port. 

7. (Previously Presented) The method of claim 1 , comprising: 

using a mechanism selected from the group comprising TLS, TTLS, MD5, EAP-TLS, and 
any combination of the foregoing to authenticate the identity. 

8. (Original) The method of claim 1 , wherein the location information indicates the location 
of a network switch to which the client is attempting to connect. 

9. (Original) The method of claim 1 , wherein the location information indicates the location 
of an edge device for connecting the client to the network. 
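The following is an added example, not code from the patent or its assignee, showing the exchange that claims 1 through 3, 8 and 48 describe: the authenticator (a switch) places the identity it collected together with the switch address and port on which the client arrived into a RADIUS Access-Request; the authentication server authenticates the identity, maps switch and port to a physical location, compares that location with a per-identity policy and returns Access-Accept or Access-Reject. A second request for the same identity from a different port models the re-check of claim 46. The attribute layout and the User-Password hiding follow RFC 2865; the shared secret, credentials, port-to-location map and policy table are constructed test data, and the server returns only the response code rather than building the reply packet. For brevity the example carries a User-Password attribute rather than one of the EAP methods listed in claim 7.

```python
"""Location-aware access decision in the shape of claims 1-3, 8 and 48.

Added example, not code from the patent. The authenticator wraps the identity
it collected and the switch/port it arrived on into a RADIUS Access-Request;
the server authenticates, maps switch+port to a physical location, compares
it with a per-identity policy and returns Accept or Reject. Attribute layout
follows RFC 2865. Secret, credentials, port map and policy are constructed.
"""
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

SHARED_SECRET = b"constructed-shared-secret"  # assumed switch<->server secret


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """User-Password hiding per RFC 2865 s5.2: pad to a multiple of 16, then
    XOR each block with MD5(secret + previous ciphertext block); the first
    block is keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         nas_ip: str, nas_port: int) -> bytes:
    """Authenticator side: identity plus location information (switch, port)."""
    authenticator = os.urandom(16)

    def tlv(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, len(value) + 2) + value

    attrs = tlv(USER_NAME, username.encode())
    attrs += tlv(USER_PASSWORD, hide_password(password.encode(), authenticator, SHARED_SECRET))
    attrs += tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += tlv(NAS_PORT, struct.pack("!I", nas_port))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(pkt: bytes) -> dict:
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[i + 2:i + length]
        i += length
    return attrs


# Constructed server-side tables (the "data structure" of claim 10).
CREDENTIALS = {"alice": b"correct horse", "bob": b"hunter2"}
# Claim 48: (switch address, port) -> physical location of the attached edge device or station.
PORT_LOCATIONS = {("10.0.0.2", 1): "lab-east", ("10.0.0.2", 2): "lab-east", ("10.0.0.3", 7): "lobby"}
# Claim 1 policy: locations at which each identity may connect; None means anywhere.
POLICY = {"alice": {"lab-east"}, "bob": None}


def decide(pkt: bytes) -> int:
    """Authentication server: authenticate, resolve location, compare, decide.
    Unknown identities, malformed requests and unmapped ports are all denied."""
    if len(pkt) < 20:
        return ACCESS_REJECT
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return ACCESS_REJECT
    authenticator = pkt[4:20]
    try:
        attrs = parse_attributes(pkt)
        user = attrs[USER_NAME].decode()
        password = reveal_password(attrs[USER_PASSWORD], authenticator, SHARED_SECRET)
        nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
        (nas_port,) = struct.unpack("!I", attrs[NAS_PORT])
    except (ValueError, KeyError, struct.error):
        return ACCESS_REJECT  # missing or malformed attributes
    if not hmac.compare_digest(CREDENTIALS.get(user, b""), password):
        return ACCESS_REJECT  # identity not authentic
    location = PORT_LOCATIONS.get((nas_ip, nas_port))
    allowed = POLICY.get(user, set())  # no policy entry -> no permitted locations
    if location is None or (allowed is not None and location not in allowed):
        return ACCESS_REJECT  # unmapped port, or a location the policy does not permit
    return ACCESS_ACCEPT


if __name__ == "__main__":
    # alice is admitted on a lab-east port, then re-checked after roaming to the lobby (claim 46)
    print(decide(build_access_request(1, "alice", "correct horse", "10.0.0.2", 1)))  # 2
    print(decide(build_access_request(2, "alice", "correct horse", "10.0.0.3", 7)))  # 3
```

The server denies by default: an identity with no policy row, a port the administrator has not mapped to a location, and any malformed attribute list all yield Access-Reject, so a misconfigured switch cannot widen access. The location is taken from attributes the switch itself asserts (NAS-IP-Address, NAS-Port), which is why the shared secret between switch and server matters: a host that can forge Access-Requests could claim any port.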

10. (Currently Amended) A network system, comprising: 
a network; 

an authenticator for requesting an identity from a client and for associating location 
information corresponding to the client with the identity, wherein the client communicates to the 
authenticator from a user station; 

a data structure, accessible by an authentication server, associating identities of clients 
with their authorized access locations; 

the authentication server, upon receiving the identity and associated location information 
from the authenticator, deciding whether to grant or deny the client access to the network by 
accessing the data structure and determining that the location information corresponding to the 
client specifies a location that is one of the authorized access locations, if any, for the client as 
maintained in the data structure; and 

[[a network manager that allows a network administrator to create and update the data 
structure]] 

a network manager comprising an application running on a server, wherein the 
application permits the network administrator to create and update a policy table in the 
authentication server. 

11. (Original) The network system of claim 10, wherein the authenticator resides in a 
network switch. 

12. (Original) The network system of claim 10, wherein the authenticator resides in an edge 
device. 

13. (Original) The network system of claim 10, further comprising: 
an edge device for connecting a user station to a network switch. 

14. (Original) The network system of claim 13, wherein the edge device is a wireless access 
point. 

15. (Currently Amended) The network system of claim 14, wherein the user station is capable 
of connecting to the network through the access point. 

16. (Original) The network system of claim 10, wherein the client is a wired device capable 
of connecting to a network switch through an Ethernet port. 

17. (Original) The network system of claim 10, wherein the location information indicates 
the location of a network switch to which the client is attempting to connect. 

18. (Original) The network system of claim 10, wherein the location information indicates 
the location of an edge device for connecting the client to the network. 

19. (Original) The network system of claim 18, further comprising an interface for 
permitting an administrator to associate the location information to the edge device. 

20. (Original) The network system of claim 10, wherein the authentication server is included 
in a network switch. 

21. (Original) The network system of claim 10, wherein the authentication server 
authenticates the identity. 

22. (Original) The network system of claim 10, wherein the authentication server includes a 
policy designating locations, if any, at which the client is permitted to connect to the network. 

23. (Previously Presented) The network system of claim 10, wherein 
the authentication server is a RADIUS server. 

24. (Original) The network system of claim 10, wherein the identity includes information 
selected from the group consisting of a user name, a user password, a certificate, a media access 
control (MAC) address, a shared key, a smart card identifier, and any combination of the 
foregoing information. 

25. (Previously Presented) The network system of claim 10, further comprising a network 
switch that comprises: 

an authentication mechanism selected from the group consisting of TLS, TTLS, MD5, 
EAP-TTLS, EAP-TLS, and any combination of the foregoing. 
26. (Original) The network system of claim 10, wherein the authentication server comprises: 

an authentication mechanism selected from the group consisting of TLS, TTLS, MD5, 
EAP-TTLS, EAP-TLS, and any combination of the foregoing. 

27. (Currently Amended) A network system, comprising: 

a plurality of edge devices capable of communicating with a plurality of user stations over 
one or more wireless channels; 

[[a network switch including a plurality of ports for connecting the edge devices to a 
network;]] 

one or more network switches; 

[[an]] a first application running on the one or more network switches [[network switch]], for 
requesting station identities from the user stations and for associating corresponding location 
information with each of the station identities; 

[[a data structure, accessible by an authentication server, associating identities of clients 
with their authorized access locations;]] 

[[the]] an authentication server for deciding whether to grant or deny each of the user stations 
access to the network based upon the corresponding identity and location information [[by 
accessing the data structure and determining, for each user station, that the location information 
corresponding to the user station specifies a location that is one of the authorized access 
locations, if any, for the user station as maintained in the data structure]]; and 

[[a network manager, directly connected to the authentication server, that allows a network 
administrator to create and update the data structure;]] 

a network manager comprising a server that runs an application that permits a network 
administrator to configure the location information and software images stored in the one or 
more switches; and 

a network that connects the network manager, the authentication server and the one or 
more switches; 

wherein the network manager either (1) connects to the network or (2) directly connects 
to the one or more switches and directly connects to the authentication server, 

whereby when the network manager directly connects to the one or more switches and the 
authentication server, the network is bypassed. 

28. (Original) The system of claim 27, wherein at least one of the edge devices is a wireless 
access point. 

29. (Currently Amended) The system of claim 27, further comprising a user station that is a 
wired device for directly connecting to one of the ports of the network switch. 

30. (Original) The system of claim 27, wherein the location information indicates the 
location of the network switch. 

31. (Original) The system of claim 27, wherein the location information indicates the 
location of one of the edge devices. 

32. (Original) The system of claim 27, wherein the network switch includes an interface for 
permitting an administrator to associate the location information to the edge devices. 

33. (Original) The system of claim 27, wherein the network switch includes an authenticator 
for authenticating the station identities. 

34. (Original) The system of claim 27, wherein the authentication server authenticates the 
station identities. 

35. (Original) The system of claim 27, wherein the authentication server includes a policy 
designating locations, if any, at which the user stations are permitted to connect to the network. 

36. (Previously Presented) The system of claim 27, wherein 
the authentication server is a RADIUS server. 

37. (Original) The system of claim 27, wherein the station identities include information 
selected from the group consisting of a user name, a user password, a certificate, a media access 
control (MAC) address, a shared key, a smart card identifier, and any combination of the 
foregoing information. 

38. (Previously Presented) The system of claim 27, further comprising: 

an authentication mechanism selected from the group consisting of TLS, TTLS, MD5, 
EAP-TTLS, EAP-TLS, and any combination of the foregoing. 

39. (Currently Amended) A network system for controlling access to a network, comprising: 

means for requesting an identity from a mobile client attempting to connect to the 
network; 

means for receiving the identity; 

first associating means for associating location information corresponding to the client 
with the identity; 

authenticating means for authenticating the identity; 

means for comparing the location information against a policy designating locations, if 
any, at which the client is permitted to connect to the network; 

means for deciding whether to grant or deny the client access to the network based on the 
authenticity of the identity and the comparison of the location information, and[[, when access is 
granted, permitting roaming of the mobile client within the network;]] 

[[means for locating another access point upon detecting, during said roaming, when signal 
quality from a current access point in communication with the mobile client has deteriorated 
sufficiently;]] 

[[second associating means for associating the mobile client with the newly located access 
point and allowing the client to continue to access the network upon determining, by comparing 
updated location information corresponding to the mobile client against the policy, that the 
mobile client is still authorized to access the network]], and 

a means for network management comprising a means for a server that runs an 
application that permits a network administrator the means to configure the location information 
and software images stored in means for switching; and 

a network means that connects the means for network management, the means for 
authentication and the means for switching; 

wherein the network system further comprises a means for network management, wherein 
the means for network management configures the means for authenticating, 

wherein the means for network management either (1) connects to the network or (2) 
directly connects to the means for switching and directly connects to the means for 
authentication, 

whereby when the means for network management directly connects to the means for 
switching and the means for authentication, the network means is bypassed. 

40. (Original) The system of claim 39, wherein the identity includes information selected 
from the group consisting of a user name, a user password, a certificate, a media access control 
(MAC) address, a shared key, a smart card identifier, and any combination of the foregoing 
information. 

41. (Original) The system of claim 39, wherein the client is a wireless device capable of 
connecting to the network through an access point. 
42. (Original) The system of claim 39, wherein the client is a wired device capable of 
connecting to the network through an Ethernet port. 

43. (Currently Amended) The system of claim 39, wherein the [[authenticating means]] means 
for authentication includes: 

an authentication mechanism selected from the group consisting of TLS, TTLS, MD5, 
EAP-TTLS, EAP-TLS, and any combination of the foregoing. 

44. (Original) The system of claim 39, wherein the location information indicates the 
location of a network switch to which the client is attempting to connect. 

45. (Original) The system of claim 39, wherein the location information indicates the 
location of an edge device for connecting the client to a network switch. 

46. (Currently Amended) The method of claim 1 wherein the mobile client is associated with 
the newly located access point upon authenticating the identity of the mobile client and 
determining, by comparing updated location information corresponding to the mobile client 
against the policy, that the mobile client is still authorized to access the network. 

47. (Currently Amended) The system of claim 39 wherein the second associating means 
associates the mobile client with the newly located access point upon authenticating the identity 
of the mobile client and determining, by comparing updated location information corresponding 
to the mobile client against the policy, that the mobile client is still authorized to access the 
network. 

48. (Previously Presented) The method of claim 8, wherein the location information 
indicates the location of a port of a network switch to which the client is attempting to connect. 

49. (Previously Presented) The network system of claim 17, wherein the location 
information indicates the location of a port of a network switch to which the client is attempting 
to connect. 
50. (Previously Presented) The network system of claim 24, wherein the identity includes a 
smart card identifier. 

51. (Previously Presented) The system of claim 37, wherein the station identities include a 
smart card identifier. 